CVE-2022-36453: A Security Vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5..101 Exploitable by Authenticated Attackers

Mitel MiCollab is a software platform that provides collaboration and communication tools for businesses. It helps in bringing teams together by providing voice, video, and instant messaging (IM) services. MiCollab is widely utilized by various teams and organizations to streamline their communication and foster effective collaboration.

Recently, a security vulnerability, identified as CVE-2022-36453, has been discovered in the MiCollab Client API of Mitel MiCollab version 9.1.3 through 9.5..101. This vulnerability could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. By exploiting this vulnerability, an attacker could effectively take control of another extension number.

Exploit Details

The vulnerability stems from insufficient authorization controls in the MiCollab Client API, which handles user profile updates. An authenticated attacker can craft a malicious request to the API to change their profile parameters, like their extension number, and assume control over another extension. This can lead to unauthorized access to confidential information and potentially disrupting communication within the affected organization.

To exploit this vulnerability, an attacker must first authenticate themselves to the MiCollab system and gain access to the user interface (UI). Once authenticated, the attacker can send a malicious HTTP request to the MiCollab Client API to modify their extension number:

POST /api/extensions
{
  "userid": "attacker",
  "extension": "target",
  "operation": "update"
}

operation: "update" indicates that the request is to update the attacker's profile parameter.

Upon successful exploitation, the attacker can now control the targeted extension number and access its associated resources directly.

Mitigation

Mitel has acknowledged the vulnerability and has recommended users to apply the latest software updates and patches to address the issue. These are available in the recent version of MiCollab (9.5..101) or later.

For more information about the vulnerability, please refer to the original references listed below

1. CVE-2022-36453: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36453
2. Mitel MiCollab Security Advisory: https://www.mitel.com/en/security-advisory

Conclusion

The security vulnerability CVE-2022-36453 exposes a critical flaw in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5..101 that could allow an authenticated attacker to modify their profile parameters and control another extension number. Users of affected versions are advised to update their software to the latest version, as recommended by the vendor. Ensuring that the appropriate security patches and updates are applied promptly can protect your organization from such exploits and potential security breaches.

Timeline

Published on: 10/25/2022 18:15:00 UTC
Last modified on: 10/28/2022 19:21:00 UTC